![Page 1: Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place](https://reader030.vdocuments.net/reader030/viewer/2022021510/5aa9e2f17f8b9a6c188d86a2/html5/thumbnails/1.jpg)
Session Hijacking
Objectives
• Define session hijacking
• Understand what session hijacking entails
• Identify the styles of session hijacking
Objectives (continued)
• List some session-hijacking tools
• Explain the differences between TCP and UDP hijacking
• Note measures that defend against session hijacking
TCP Session Hijacking
• Hacker takes control of a TCP session between two hosts
• TCP session can be hijacked only after the hosts have authenticated successfully
– Session cannot be initiated until the authentication process is finished
Session Hijacking – Hacker’s Point of View
• TCP works with IP to manage data packets
• TCP tracks the packets sent to the receiver
• One popular method of session hijacking is using source-routed IP packets
• If source routing is turned off
– The hacker can use blind hijacking
– Guessing the responses of the two machines
• Hacker can also be inline between B and C, using a sniffing program to follow the conversation
Session Hijacking – Hacker’s Point of View (continued)
• Hacker could find problems for two reasons:
– Host computer that has been hijacked will continue to send the packets to the recipient
– Recipient gives an ACK to the host computer after receiving packets from the hacker’s computer
Session Hijacking – Hacker’s Point of View (continued)
• Continuous ACK Transfer
– Three ways to stop a continuous ACK transfer
• Losing the ACK packet
• Ending the connection
• Resynchronizing the client and server
TCP Session Hijacking with Packet Blocking
• Packet blocking solves the ACK storm issue
– And facilitates TCP session hijacking
• ACK storm happens because the attacker was not in a position to stop or delete packets sent by the trusted computer
• Attacker must be in control of the connection itself
– So that the session authentication takes place through the attacker’s chosen channel
TCP Session Hijacking with Packet Blocking (continued)
• Hacker can wait for the ACK packet to drop
– Or manually synchronize the server and client records by spoofing
• If a hacker can block the packets
– Can drop exact number of packets desired for transfer
Methods
• Route Table Modification
– All computers that use TCP/IP keep a route table
– A route table shows the way to the address sought
• Or way to nearest source that might know the address
– Route table has two sections
• Active routes and active connections
– If the route table can’t locate a perfect match of the IP address
• It searches for the closest possible match in the list of network addresses
Methods (continued)
• Route Table Modification (continued)
– After the match is found, Computer A sends the packets to that IP address
– If the route table cannot find a match, it refers the request to the network gateway
– Active connections section shows the network addresses of the computers
• That are connected with the host computer
Methods (continued)
• Route Table Modification (continued)
– Hacker changes the route table
– Host computer assumes that the best possible path for the transfer of data packets is through the hacker’s computer
Methods (continued)
• Route Table Modification (continued)
– Hackers can modify a route table using two methods
• Erase all necessary records from the route table
– And then provide the hacker’s own IP address as the default gateway address
• Change the corresponding route in the route table of the gateway router
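The route lookup described in these slides, and a defender's check for an altered table, as an added example that is not part of the original slides. Both tables, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample tables: (destination network, gateway). Not from the slides.
BASELINE = [
    ("0.0.0.0/0", "192.0.2.1"),
    ("192.0.2.0/24", "on-link"),
    ("198.51.100.0/24", "192.0.2.254"),
]
CURRENT = [
    ("0.0.0.0/0", "192.0.2.66"),       # default gateway differs from baseline
    ("192.0.2.0/24", "on-link"),
    ("203.0.113.7/32", "192.0.2.66"),  # host route absent from baseline
]

def parse(table):
    return {ipaddress.ip_network(net): gw for net, gw in table}

def lookup(table, dest):
    """Most specific matching route as (network, gateway); the 0.0.0.0/0
    entry is the 'refer to the gateway' fallback. None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in parse(table).items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def route_drift(baseline, current):
    """Differences between a known-good route table and the current one."""
    base, cur = parse(baseline), parse(current)
    order = lambda n: (n.prefixlen, int(n.network_address))
    findings = []
    for net in sorted(set(base) | set(cur), key=order):
        if net not in cur:
            findings.append(("removed", str(net), base[net], None))
        elif net not in base:
            findings.append(("added", str(net), None, cur[net]))
        elif base[net] != cur[net]:
            findings.append(("gateway_changed", str(net), base[net], cur[net]))
    return findings

if __name__ == "__main__":
    # With its specific route erased, this destination falls to the default gateway.
    print(lookup(BASELINE, "198.51.100.9"), lookup(CURRENT, "198.51.100.9"))
    for finding in route_drift(BASELINE, CURRENT):
        print(finding)
```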
Session Hijacking Tools - Hunt
• Developed by Pavel Krauz
– Inspired by Juggernaut
• Performs sniffing and session hijacking
• Menu options: listing, watching, and resetting connections
• Hunt tool can hijack a session through ARP attacks
Hunt (continued)
• Hunt allows hacker to synchronize the connection between the host and the server
– During session hijacking
UDP Hijacking
• User Datagram Protocol (UDP)
– Connectionless protocol that runs on top of IP networks
• UDP/IP provides very few error recovery services
– Offers direct way to send and receive datagrams over an IP network
– Used primarily for broadcasting messages
UDP Hijacking (continued)
• More vulnerable to hijacking
– Hacker needs only to sniff the network for a UDP request for a Web site and drop a spoofed UDP packet in before the Web server responds
Prevention and Mitigation
• To defend against session hijacking, use encrypted protocols and practice storm watching
Encryption
• Hacker needs to be authenticated on the network to be able to successfully hijack a session
• If the data transfer is encrypted
– It is far too complicated and time consuming to get authenticated
• Standard protocols like POP3, Telnet, IMAP, and SMTP are excellent targets
– Because they transfer data as plaintext
Storm Watching
• Refers to setting an IDS rule to watch for abnormal increases in network traffic
– And to alert the security officer when they occur
• An unexpected increase in traffic could be evidence of an ACK storm
• Packet size can be cached for a short period
– Two packets with the same header information but different sizes could be evidence of a hijacking in progress
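The two storm-watching checks above as detection logic, in an added example that is not part of the original slides: it flags a burst of empty ACKs on one connection and a cached segment that reappears with a different size. The thresholds, record fields and traffic in `sample()` are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 1.0     # seconds (assumed value; tune per network)
ACK_LIMIT = 20   # empty ACKs tolerated per connection per window (assumed)
CACHE_TTL = 5.0  # seconds a segment's size is remembered (assumed)

def watch(packets):
    """packets: dicts with ts, src, dst ('ip:port'), seq, flags, length (payload bytes)."""
    acks = defaultdict(deque)  # connection -> timestamps of recent empty ACKs
    sizes = {}                 # (src, dst, seq) -> (ts, payload length)
    storming, alerts = set(), []
    for p in sorted(packets, key=lambda p: p["ts"]):
        conn = tuple(sorted((p["src"], p["dst"])))
        if p["flags"] == "A" and p["length"] == 0:
            q = acks[conn]
            q.append(p["ts"])
            while p["ts"] - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) > ACK_LIMIT and conn not in storming:
                storming.add(conn)           # alert once per connection
                alerts.append(("ack_storm", conn, p["ts"]))
        if p["length"] > 0:
            key = (p["src"], p["dst"], p["seq"])
            seen = sizes.get(key)
            # Same header fields, different size. Heuristic only: a benign
            # retransmission can also be repacketized to a different length.
            if seen and p["ts"] - seen[0] <= CACHE_TTL and seen[1] != p["length"]:
                alerts.append(("size_mismatch", conn, p["ts"]))
            sizes[key] = (p["ts"], p["length"])
    return alerts

def sample():
    """Constructed traffic: normal exchange, a conflicting segment, then an ACK loop."""
    c, s = "10.0.0.5:40000", "10.0.0.9:23"
    pk = [
        {"ts": 0.00, "src": c, "dst": s, "seq": 1000, "flags": "PA", "length": 10},
        {"ts": 0.01, "src": s, "dst": c, "seq": 5000, "flags": "A", "length": 0},
        {"ts": 0.50, "src": c, "dst": s, "seq": 1010, "flags": "PA", "length": 4},
        {"ts": 0.52, "src": c, "dst": s, "seq": 1010, "flags": "PA", "length": 12},
    ]
    for i in range(60):  # each end keeps answering the other's ACK with its own
        a, b = (c, s) if i % 2 == 0 else (s, c)
        pk.append({"ts": 0.60 + i * 0.005, "src": a, "dst": b,
                   "seq": 0, "flags": "A", "length": 0})
    return pk

if __name__ == "__main__":
    for alert in watch(sample()):
        print(alert)
```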